From fb75edde42ddb0652420f662fa692a8b36cfd02e Mon Sep 17 00:00:00 2001
From: radare
Date: Mon, 8 Jun 2015 12:11:30 +0200
Subject: [PATCH] Escape URL in quotes

The rest of fields are not even escaped which may result in remote code execution when executing the generated curl lines. This patch makes the har-to-curl at least work. But the rest of fields should be properly validated and filtered too.
---
 lib/har-to-curl.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/har-to-curl.js b/lib/har-to-curl.js
index 579e9b2..a70aade 100644
--- a/lib/har-to-curl.js
+++ b/lib/har-to-curl.js
@@ -79,5 +79,6 @@ harToCurl.fromEntry = function(entry) {
 command += ' -d "' + entry.request.postData.text + '"';
 }
- return command + ' ' + entry.request.url;
+ var quoted_url = '"'+ entry.request.url.replace('\\','\\\\')+'"';
+ return command + ' ' + quoted_url;
 };
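Review bot: The added `quoted_url` line still lets a URL taken from an untrusted HAR file run commands once the generated curl line reaches a shell, because inside double quotes the shell keeps expanding `$(...)`, backticks and `$VAR`, and a `"` in the URL ends the quoting early. Separately, `replace('\\','\\\\')` uses a string pattern, so only the first backslash in the URL is doubled. Single-quoting disables all expansion and leaves the embedded quote as the only character to handle: `var quoted_url = "'" + entry.request.url.replace(/'/g, "'\\''") + "'";`. The same quoting would suit the `-d` argument on the context line above, which the commit message already acknowledges is unescaped. harToCurl.fromEntry begins outside the hunk, so how the earlier parts of `command` are built cannot be checked from here.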